27 matches found
EUVD-2021-27292
Malware in sbrugna...
EUVD-2025-7731
Malicious code in bioql PyPI...
EUVD-2024-34319
Malicious code in bioql PyPI...
CVE-2025-50181 urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attemptin...
GHSA-48P4-8XCF-VXJ5 urllib3 does not control redirects in browsers and Node.js
urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects. However, the retries...
urllib3 does not control redirects in browsers and Node.js
urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects. However, the retries...
urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
urllib3 handles redirects and retries using the same mechanism, which is controlled by the Retry object. The most common way to disable redirects is at the request level, as follows: `resp = urllib3.request("GET", "https://httpbin.org/redirect/1", redirect=False)`, after which `print(resp.status)` shows `302`. However,...
CVE-2024-13957
SSRF (Server Side Request Forgery) vulnerabilities exist in ASPECT if administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.; NEXUS Series: through 3.; MATRIX Series: through 3...
CVE-2020-16171
An issue was discovered in Acronis Cyber Backup before 12.5 Build 16342. Some API endpoints on port 9877 under /api/ams/ accept an additional custom Shard header. The value of this header is afterwards used in a separate web request issued by the application itself. This can be abused to conduct...
CVE-2024-10457
CVE-2024-10457 describes multiple SSRF vulnerabilities in the significant-gravitas/autogpt project (agpt-platform-beta-v0.1.1). The issues arise when inputs to a set of GitHub integration and web-search blocks are controlled by untrusted sources, enabling requests to internal or attacker-controll...
CVE-2024-10457 SSRF Vulnerabilities in significant-gravitas/autogpt
Multiple Server-Side Request Forgery SSRF vulnerabilities were identified in the significant-gravitas/autogpt repository, specifically in the GitHub Integration and Web Search blocks. These vulnerabilities affect version agpt-platform-beta-v0.1.1. The issues arise when block inputs are controlled...
Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack
Threat intelligence firm GreyNoise is warning of a "coordinated surge" in the exploitation of Server-Side Request Forgery SSRF vulnerabilities spanning multiple platforms. "At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack...
BIT-PYTHON-MIN-2024-11168 Improper validation of IPv6 and IPvFuture addresses
The urllib.parse.urlsplit and urlparse functions improperly validated bracketed hosts, allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser...
IBM: SSRF and secret key disclosure found on Turbonomic endpoint
The SSRF and secret key disclosure vulnerabilities found on the Turbonomic endpoint were reported to IBM, analyzed, and remediated...
SUSE-SU-2024:0728-1 Security update for nodejs16
This update for nodejs16 fixes the following issues: Security issues fixed: CVE-2023-46809: Node.js is vulnerable to the Marvin Attack timing variant of the Bleichenbacher attack against PKCS1 v1.5 padding bsc1219997. CVE-2024-22019: http: Reading unprocessed HTTP request with unbounded chunk...
Microsoft resolved four SSRF vulnerabilities in Azure cloud services.
This blog post is an abridged translation of "Microsoft resolves four SSRF vulnerabilities in Azure cloud services". Refer to the original for the latest information. Summary...
Microsoft resolves four SSRF vulnerabilities in Azure cloud services
Summary Microsoft recently fixed a set of Server-Side Request Forgery SSRF vulnerabilities in four Azure services Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins reported by Orca Security. These SSRF vulnerabilities were determined to be low risk as they do...
CVE-2022-38203 The allowedProxyHosts property is not fully honored in ArcGIS Enterprise (10.8.1 and 10.7.1 only)
Protections against potential Server-Side Request Forgery SSRF vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeratio...
autoSSRF - Smart Context-Based SSRF Vulnerability Scanner
autoSSRF is your best ally for identifying SSRF vulnerabilities at scale. Different from other SSRF automation tools, this one comes with the two following original features: Smart fuzzing on relevant SSRF GET parameters. When fuzzing, autoSSRF only focuses on the common parameters related to SSR...
in detekt/detekt
Description: The read function makes use of a SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In...